The vulnerability occurs because the Bold Page Builder plugin does not properly neutralize user supplied data during web page generation, enabling a DOM‑based cross‑site scripting attack. An attacker can inject malicious script that will execute in the context of the victim’s browser when the page is rendered, potentially allowing credential theft, session hijacking, or defacement. This flaw is categorized as CWE‑79 and can compromise the confidentiality and integrity of user data exposed through the affected editor.

The flaw exists in the Bold Page Builder plugin from versions prior to and including 5.5.2, developed by boldthemes. Any WordPress site that has this plugin installed at or below 5.5.2 is vulnerable.

The CVSS score of 6.5 classifies the issue as a medium severity vulnerability. The EPSS score of less than 1% indicates a low probability of exploitation in the wild as of the latest assessment. The vulnerability is not currently listed in the CISA KEV catalog, but because it requires only a crafted URL or form input, a local or remote attacker who can entice a user to visit a malicious link could trigger it. The risk to an organization depends on how broadly this plugin is used and whether users are exposed to untrusted input via the builder interface.